Podcasts about hackerone

  • 218 podcasts
  • 381 episodes
  • 54m average duration
  • 5 new episodes weekly
  • Latest: Dec 18, 2025

POPULARITY

Popularity by year, 2019 to 2026 (chart)


Latest podcast episodes about hackerone

FutureCraft Marketing
Special Episode: Why Customer Success Can't Be Automated (And What AI Can Actually Do)

Dec 18, 2025 · 42:37 · Transcription available


Why Customer Success Can't Be Automated (And What AI Can Actually Do)

In this special year-end episode of the FutureCraft GTM Podcast, hosts Ken Roden and Erin Mills sit down with Amanda Berger, Chief Customer Officer at Employ, to tackle the biggest question facing CS leaders in December 2026: What can AI actually do in customer success, and where do humans remain irreplaceable? Amanda brings 20+ years at the intersection of data and human decision-making—from AI-powered e-commerce personalization at Rich Relevance, to human-led security at HackerOne, to now implementing AI companions for recruiters. Her journey is a masterclass in understanding where the machine ends and the human begins. This conversation delivers hard truths about metrics, change management, and the future of CS roles—plus Amanda's controversial take that "if you don't use AI, AI will take your job."

Unpacking the Human vs. Machine Balance in Customer Success

Amanda returns with a reality check: AI doesn't understand business outcomes or motivation—humans do. She reveals how her career evolved from philosophy major studying "man versus machine" to implementing AI across radically different contexts (e-commerce, security, recruiting), giving her unique pattern recognition about what AI can genuinely do versus where it consistently fails.

The Lagging Indicator Problem: Why NRR, churn, and NPS tell you what already happened (6 months ago) instead of what you can influence. Amanda makes the case for verified outcomes, leading indicators, and real-time CSAT at decision points.

The 70% Rule for CS in Sales: Why most churn starts during implementation, not at renewal—and exactly when to bring CS into the deal to prevent it (technical win stage/vendor of choice).

Segmentation ≠ Personalization: The jumpsuit story that proves AI is still just sophisticated bucketing, even with all the advances in 2026. True personalization requires understanding context, motivation, and individual goals.

The Delegation Framework: Don't ask "what can AI do?" Ask "what parts of my job do I hate?" Delegate the tedious (formatting reports, repetitive emails, data analysis) so humans can focus on what makes them irreplaceable.

Timestamps

00:00 - Introduction and AI Updates from Ken & Erin
01:28 - Welcoming Amanda Berger: From Philosophy to Customer Success
03:58 - The Man vs. Machine Question: Where AI Ends and Humans Begin
06:30 - The Jumpsuit Story: Why AI Personalization Is Still Segmentation
09:06 - Why NRR Is a Lagging Indicator (And What to Measure Instead)
12:20 - CSAT as the Most Underrated CS Metric
17:34 - The $4M Vulnerability: House Security Analogy for Attribution
21:15 - Bringing CS Into Sales at 70% Probability (The Non-Negotiable)
25:31 - Getting Customers to Actually Tell You Their Goals
28:21 - AI Companions at Employ: The Recruiting Reality Check
32:50 - The Delegation Mindset: What Parts of Your Job Do You Hate?
36:40 - Making the Case for Humans in an AI-First World
40:15 - The Framework: When to Use Digital vs. Human Touch
43:10 - The 8-Hour Workflow Reduced to 30 Minutes (Real ROI Examples)
45:30 - By 2027: The Hardest CX Role to Hire
47:49 - Lightning Round: Summarization, Implementation, Data Themes
51:09 - Wrap-Up and Key Takeaways

Edited Transcript

Introduction: Where Does the Machine End and Where Does the Human Begin?

Erin Mills: Your career reads like a roadmap of enterprise AI evolution—from AI-powered e-commerce personalization at Rich Relevance, to human-powered collective intelligence at HackerOne, and now augmented recruiting at Employ. This doesn't feel random—it feels intentional. How has this journey shaped your philosophy on where AI belongs in customer experience?

Amanda Berger: It goes back even further than that. I started my career in the late '90s in what was first called decision support, then business intelligence. All of this is really just data and how data helps humans make decisions. What's evolved through my career is how quickly we can access data and how spoon-fed those decisions are. Back then, you had to drill around looking for a needle in a haystack. Now, does that needle just pop out at you so you can make decisions based on it? I got bit by the data bug early on, realizing that information is abundant—and it becomes more abundant as the years go on. The way we access that information is the difference between making good business decisions and poor business decisions. In customer success, you realize it's really just about humans helping humans be successful. That convergence of "where's the data, where's the human" has been central to my career.

The Jumpsuit Story: Why AI Personalization Is Still Just Segmentation

Ken Roden: Back in 2019, you talked about being excited for AI to become truly personal—not segment-based. Flash forward to December 2026. How close are we to actual personalization?

Amanda Berger: I don't think we're that close. I'll give you an example. A friend suggested I ask ChatGPT whether I should buy a jumpsuit. So I sent ChatGPT a picture and my measurements. I'm 5'2". ChatGPT's answer? "If you buy it, you should have it tailored." That's segmentation, not personalization. "You're short, so here's an answer for short people." Back in 2019, I was working on e-commerce personalization. If you searched for "black sweater" and I searched for "black sweater," we'd get different results—men's vs. women's. We called it personalization, but it was really segmentation. Fast forward to now. We have exponentially more data and better models, but we're still segmenting and calling it personalization. AI makes segmentation faster and more accessible, but it's still segmentation.

Erin Mills: But did you get the jumpsuit?

Amanda Berger: (laughs) No, I did not get the jumpsuit. But maybe I will.

The Philosophy Degree That Predicted the Future

Erin Mills: You started as a philosophy major taking "man versus machine" courses. What would your college self say? And did philosophy prepare you in ways a business degree wouldn't have?

Amanda Berger: I actually love my philosophy degree because it really taught me to critically think about issues like this. I don't think I would have known back then that I was thinking about "where does the machine end and where does the human begin"—and that this was going to have so many applicable decision points throughout my career. What you're really learning in philosophy is logical thought process. If this happens, then this. And that's fundamentally the foundation for AI. "If you're short, you should get your outfit tailored." "If you have a customer with predictive churn indicators, you should contact that customer." It's enabling that logical thinking at scale.

The Metrics That Actually Matter: Leading vs. Lagging Indicators

Erin Mills: You've called NRR, churn rate, and NPS "lagging indicators." That's going to ruffle boardroom feathers. Make the case—what's broken, and what should we replace it with?

Amanda Berger: By the time a customer churns or tells you they're gonna churn, it's too late. The best thing you can do is offer them a crazy discount. And when you're doing that, you've already kind of lost. What CS teams really need to be focused on is delivering value. If you deliver value—we all have so many competing things to do—if a SaaS tool is delivering value, you're probably not going to question it. If there's a question about value, then you start introducing lower price or competitors. And especially in enterprise, customers decide way, way before they tell you whether they're gonna pull the technology out. You usually miss the signs. So you've gotta look at leading indicators. What are the signs? And they're different everywhere I've gone. I've worked for companies where if there's a lot of engagement with support, that's a sign customers really care and are trying to make the technology work—it's a good sign, churn risk is low. Other companies I've worked at, when customers are heavily engaged with support, they're frustrated and it's not working—churn risk is high. You've got to do the work to figure out what those churn indicators are and how they factor into leading indicators: Are they achieving verified outcomes? Are they healthy? Are there early risk warnings?

CSAT: The Most Underrated Metric

Ken Roden: You're passionate about customer satisfaction as a score because it's granular and actionable. Can you share a time where CSAT drove a change and produced a measurable business result?

Amanda Berger: I spent a lot of my career in security. And that's tough for attribution. In e-commerce, attribution is clear: Person saw recommendations, put them in cart, bought them. In hiring, their time-to-fill is faster—pretty clear. But in security, it's less clear. I love this example: We all live in houses, right? None of our houses got broken into last night. You don't go to work saying, "I had such a good night because my house didn't get broken into." You just expect that. And when your house didn't get broken into, you don't know what to attribute that to. Was it the locked doors? Alarm system? Dog? Safe neighborhood? That's true with security in general. You have to really think through attribution. Getting that feedback is really important. In surveys we've done, we've gotten actionable feedback. Somebody was able to detect a vulnerability, and we later realized it could have been tied to something that would have cost $4 million to settle. That's the kind of feedback you don't get without really digging around for it. And once you get that once, you're able to tie attribution to other things.

Bringing CS Into the Sales Cycle: The 70% Rule

Erin Mills: You're a religious believer in bringing CS into the sales cycle. When exactly do you insert CS, and how do you build trust without killing velocity?

Amanda Berger: With bigger customers, I like to bring in somebody from CX when the deal is at the technical win stage or 70% probability—vendor of choice stage. Usually it's for one of two reasons: One: If CX is gonna have to scope and deliver, I really like CX to be involved. You should always be part of deciding what you're gonna be accountable to deliver. And I think so much churn actually starts to happen when an implementation goes south before anyone even gets off the ground. Two: In this world of technology, what really differentiates an experience is humans. A lot of our technology is kind of the same. Competitive differentiation is narrower and narrower. But the approach to the humans and the partnership—that really matters. And that can make the difference during a sales cycle. Sometimes I have to convince the sales team this is true. But typically, once I'm able to do that, they want it. Because it does make a big difference. Technology makes us successful, but humans do too. That's part of that balance between what's the machine and what is the human.

The Art of Getting Customers to Articulate Their Goals

Ken Roden: One challenge CS teams face is getting customers to articulate their goals. Do customers naturally say what they're looking to achieve, or do you have a process to pull it out?

Amanda Berger: One challenge is that what a recruiter's goal is might be really different than what the CFO's goal is. Whose outcome is it? One reason you want to get involved during the sales cycle is because customers tell you what they're looking for then. It's very clear. And nothing frustrates a company more than "I told you that, and now you're asking me again? Why don't you just ask the person selling?" That's infuriating. Now, you always have legacy customers where a new CSM comes in and has to figure it out. Sometimes the person you're asking just wants to do their job more efficiently and can't necessarily tie it back to the bigger picture. That's where the art of triangulation and relationships comes in—asking leading discovery questions to understand: What is the business impact really? But if you can't do that as a CS leader, you probably won't be successful and won't retain customers for the long term.

AI as Companion, Not Replacement: The Employ Philosophy

Erin Mills: At Employ, you're implementing AI companions for recruiters. How do you think about when humans are irreplaceable versus when AI should step in?

Amanda Berger: This is controversial because we're talking about hiring, and hiring is so close to people's hearts. That's why we really think about companions. I earnestly hope there's never a world where AI takes over hiring—that's scary. But AI can help companies and recruiters be more efficient. Job seekers are using AI. Recruiters tell me they're getting 200-500% more applicants than before because people are using AI to apply to multiple jobs quickly or modify their resumes. The only way recruiters can keep up is by using AI to sort through that and figure out best fits. So AI is a tool and a friend to that recruiter. But it can't take over the recruiter.

The Delegation Framework: What Do You Hate Doing?

Ken Roden: How do you position AI as companion rather than threat?

Amanda Berger: There's definitely fear. Some is compliance-based—totally justifiable. There's also people worried about AI taking their jobs. I think if you don't use AI, AI is gonna take your job. If you use AI, it's probably not. I've always been a big fan of delegation. In every aspect of my life: If there's something I don't want to do, how can I delegate it? Professionally, I'm not very good at putting together beautiful PowerPoint presentations. I don't want to do it. But AI can do that for me now. Amazingly well. What I'm really bad at is figuring out bullets and formatting. AI does that. So I think about: What are the things I don't want to do? Usually we don't want to do the things we're not very good at or that are tedious. Use AI to do those things so you can focus on the things you're really good at. Maybe what I'm really good at is thinking strategically about engaging customers or articulating a message. I can think about that, but AI can build that PowerPoint. I don't have to think about "does my font match here?" Take the parts of your job that you don't like—sending the same email over and over, formatting things, thinking about icebreaker ideas—leverage AI for that so you can do those things that make you special and make you stand out. The people who can figure that out and leverage it the right way will be incredibly successful.

Making the Case to Keep Humans in CS

Ken Roden: Leaders face pressure from boards and investors to adopt AI more—potentially leading to roles being cut. How do you make the case for keeping humans as part of customer success?

Amanda Berger: AI doesn't understand business outcomes and motivation. It just doesn't. Humans understand that. The key to relationships and outcomes is that understanding. The humanity is really important. At HackerOne, it was basically a human security company. There are millions of hackers who want to identify vulnerabilities before bad actors get to them. There are tons of layers of technology—AI-driven, huge stacks of security technology. And yet no matter what, there's always vulnerabilities that only a human can detect. You want full-stack security solutions—but you have to have that human solution on top of it, or you miss things. That's true with customer success too. There's great tooling that makes it easier to find that needle in the haystack. But once you find it, what do you do? That's where the magic comes in. That's where a human being needs to get involved. Customer success—it is called customer success because it's about success. It's not called customer retention. We do retain through driving success. AI can point out when a customer might not be successful or when there might be an indication of that. But it can't solve that and guide that customer to what they need to be doing to get outcomes that improve their business. What actually makes success is that human element. Without that, we would just be called customer retention.

The Framework: When to Use Digital vs. Human Touch

Erin Mills: We'd love to get your framework for AI-powered customer experience. How do you make those numbers real for a skeptical CFO?

Amanda Berger: It's hard to talk about customer approach without thinking about customer segmentation. It's very different in enterprise versus a scaled model. I've dealt with a lot of scale in my last couple companies. I believe that the things we do to support that long tail—those digital customers—we need to do for all customers. Because while everybody wants human interaction, they don't always want it. Think about: As a person, where do I want to interact digitally with a machine? If it's a bot, I only want to interact with it until it stops giving me good answers. Then I want to say, "Stop, let me talk to an operator." If I can find a document or video that shows me how to do something quickly rather than talking to a human, it's human nature to want to do that. There are obvious limits. If I can change my flight on my phone app, I'm gonna do that rather than stand at a counter. Come back to thinking: As a human, what's the framework for where I need a human to get involved? Second, it's figuring out: How do I predict what's gonna happen with my customers? What are the right ways of looking and saying "this is a risk area"? Creating that framework. Once you've got that down, it's an evolution of combining: Where does the digital interaction start? Where does it stop? What am I looking for that's going to trigger a human interaction? Being able to figure that out and scale that—that's the thing everybody is trying to unlock.

The 8-Hour Workflow Reduced to 30 Minutes

Erin Mills: You've mentioned turning some workflows from an 8-hour task to 30 minutes. What roles absorbed the time dividend? What were rescoped?

Amanda Berger: The roles with a lot of repetition and repetitive writing. AI is incredible when it comes to repetitive writing and templatization. A lot of times that's more in support or managed services functions. And coding—any role where you're coding, compiling code, or checking code. There's so much efficiency AI has already provided. I think less so on the traditional customer success management role. There's definitely efficiencies, but not that dramatic. Where I've seen it be really dramatic is in managed service examples where people are doing repetitive tasks—they have to churn out reports. It's made their jobs so much better. When they provide those services now, they can add so much more value. Rather than thinking about churning out reports, they're able to think about: What's the content in my reports? That's very beneficial for everyone.

By 2027: The Hardest CX Role to Hire

Erin Mills: Mad Libs time. By 2027, the hardest CX job to hire will be _______ because of _______.

Amanda Berger: I think it's like these forward-deployed engineer types of roles. These subject matter experts. One challenge in CS for a while has been: What's the value of my customer success manager? Are they an expert? Or are they revenue-driven? Are they the retention person? There's been an evolution of maybe they need to be the expert. And what does that mean? There'll continue to be evolution on that. And that'll be the hardest role. That standard will be very, very hard.

Lightning Round

Ken Roden: What's one AI workflow go-to-market teams should try this week?

Amanda Berger: Summarization. Put your notes in, get a summary, get the bullets. AI is incredible for that.

Ken Roden: What's one role in go-to-market that's underusing AI right now?

Amanda Berger: Implementation.

Ken Roden: What's a non-obvious AI use case that's already working?

Amanda Berger: Data-related. People are still scared to put data in and ask for themes. Putting in data and asking for input on what are the anomalies.

Ken Roden: For the go-to-market leader who's not seeing value in AI—what should they start doing differently tomorrow?

Amanda Berger: They should start having real conversations about why they're not seeing value. Take a more human-led, empathetic approach to: Why aren't they seeing it? Are they not seeing adoption, or not seeing results? I would guess it's adoption, and then it's drilling into the why.

Ken Roden: If you could DM one thing to all go-to-market leaders, what would it be?

Amanda Berger: Look at your leading indicators. Don't wait. Understand your customer, be empathetic, try to get results that matter to them.

Key Takeaways

The Human-AI Balance in Customer Success: AI doesn't understand business outcomes or motivation—humans do. The winning teams use AI to find patterns and predict risk, then deploy humans to understand why it matters and what strategic action to take.

The Lagging Indicator Trap: By the time NRR, churn rate, or NPS move, customers decided 6 months ago. Focus on leading indicators you can actually influence: verified outcomes, engagement signals specific to your business, early risk warnings, and real-time CSAT at decision points.

The 70% Rule: Bring CS into the sales cycle at the technical win stage (70% probability) for two reasons: (1) CS should scope what they'll be accountable to deliver, and (2) capturing customer goals early prevents the frustrating "I already told your sales rep" moment later.

Segmentation ≠ Personalization: AI makes segmentation faster and cheaper, but true personalization requires understanding context, motivation, and individual circumstances. The jumpsuit story proves we're still just sophisticated bucketing, even with 2026's advanced models.

The Delegation Framework: Don't ask "what can AI do?" Ask "what parts of my job do I hate?" Delegate the tedious (formatting, repetitive emails, data analysis) so humans can focus on strategy, relationships, and outcomes that only humans can drive.

"If You Don't Use AI, AI Will Take Your Job": The people resisting AI out of fear are most at risk. The people using AI to handle drudgery and focusing on what makes them irreplaceable—strategic thinking, relationship-building, understanding nuanced goals—are the future leaders.

Customer Success ≠ Customer Retention: The name matters. Your job isn't preventing churn through discounts and extensions. Your job is driving verified business outcomes that make customers want to stay because you're improving their business.

Stay Connected

To listen to the full episode and stay updated on future episodes, visit the FutureCraft GTM website.

Connect with Amanda Berger: Amanda on LinkedIn; Employ

Disclaimer: This podcast is for informational and entertainment purposes only and should not be considered advice. The views and opinions expressed in this podcast are our own and do not represent those of any company or business we currently work for/with or have worked for/with in the past.

10X Finland Podcast
#103: Mårten Mickos – Blaming circumstances is always a mistake

Nov 25, 2025 · 117:01


Mårten Mickos has led three global technology companies and taken one of them to an acquisition worth more than a billion dollars. Today he spends much of his time coaching young startup hopefuls and promoting growth thinking. The companies Mårten led, MySQL, Eucalyptus and HackerOne, were pioneers in distributed organizational structure, remote work, networks and shared responsibility. He immersed himself in all of this and turned it into success stories before many had even caught on to remote work or network organizations. That is why this podcast focuses on what Mårten knows best, namely leadership. We take our cue from the themes of his new book, Kasvun kaava. We also talk a lot about the importance of culture and values, and of course about how Finland could be woken from its slumber. Mårten's keyword here is agency: a person's experience and understanding that they have a duty to act. Happy listening!

Defense in Depth
In the Age of Identity, is Network Security Dead?

Nov 20, 2025 · 34:21


All links and images can be found on CISO Series. Check out this post by Ross Haleliuk of Venture in Security for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark, the producer of CISO Series, and Edward Contreras, senior EVP and CISO, Frost Bank. Joining us is Davi Ottenheimer, VP, trust and digital ethics, Inrupt.

In this episode:
  • Network security isn't dying—it's evolving
  • The observability layer that can't be replaced
  • What's old is new again
  • The innovation gap

Huge thanks to our sponsor, HackerOne. Discover how AI innovators like Adobe, Anthropic, and Snap are using AI to find and fix vulnerabilities across the software development lifecycle. HackerOne, the global leader in offensive security solutions, reveals all in the CISOs' guide to securing the future of AI. Download it now to see how AI can strengthen your security posture. Learn more at https://www.hackerone.com/

Risk Management Show
AI in Security: 210% Rise in Vulnerability Findings - The 9th Hacker-Powered Security Report

Oct 22, 2025 · 11:07


Discover how AI is revolutionizing the world of security in this episode of GRC Chats! We discussed the "210% rise in vulnerability findings" uncovered in the latest Hacker Powered Security Report with Laurie Mercer, Senior Director of Solutions at HackerOne. Laurie shares exclusive insights into the dramatic growth of AI-powered systems, the evolving landscape of vulnerabilities, and the rise of AI-enabled hack bots. Learn how organizations can adapt to this rapidly changing environment to stay ahead in Risk Management, Cyber Security, and ethical hacking.

Defense in Depth
What Soft Skills Do You Need in Cyber?

Oct 16, 2025 · 24:42


All links and images can be found on CISO Series. Check out this post by Evgeniy Kharam for the discussion that is the basis of our conversation on this week's episode, co-hosted by David Spark, the producer of CISO Series, and Edward Contreras, senior EVP and CISO, Frost Bank. Joining them is Ryan Dunn, Leader of Product and Supply Chain Technology, Specialized Bicycle Components. And check out "Architecting Success: The Art of Soft Skills in Technical Sales: Connect to Sell More" by Evgeniy Kharam, which we referenced in this episode.

In this episode:
  • Beyond the technical playbook
  • Influencing without authority
  • Partnering, not just selling
  • The deliberate work of connection

Thanks to our sponsor, HackerOne. Discover how AI innovators like Adobe, Anthropic, and Snap are using AI to find and fix vulnerabilities across the software development lifecycle. HackerOne, the global leader in offensive security solutions, reveals all in the CISOs' guide to securing the future of AI. Download it now to see how AI can strengthen your security posture. https://www.hackerone.com/report/future-of-ai?utm_medium=Paid-Newsletter&utm_source=cisoseries&utm_campaign=Parent-FY25-AIAwarenessCampaign-GL

Security Now (MP3)
SN 1046: Google's Developer Registration Decree - The End of Free Android Apps?

Oct 8, 2025 · 164:44


Google's new demand for developer registration could spell the end for open-source app stores, while Europe's controversial chat control vote threatens privacy for everyone—Steve and Leo break down what's at stake for devs and users alike.

Topics this week:
  • Qantas says no one can releak their stolen data.
  • Brave's usage is up. But is it really 3 times faster?
  • Next Tuesday the EU votes on "Chat Control".
  • Microsoft formally launches a "Security Store".
  • Outlook moves to block JavaScript in SVGs.
  • A new release of Chrome.
  • Gmail will no longer pull external email via POP.
  • Google Drive starts blocking ransomware encryptions.
  • The UK issues another order to Apple.
  • Researchers create a "Battering RAM" attack device.
  • HackerOne's significant bug bounty payouts.
  • The Imgur service goes dark across the UK. Guess why.
  • The Netherlands plans to say NO to "Chat Control."
  • Discord was breached and government IDs leaked.
  • Salesforce says it's not another new breach.
  • Signal introduces a new post-quantum ratchet.
  • Your motherboard MIGHT support TPM 2.0.
  • Google to force Android app devs to register and pay.

Show Notes - https://www.grc.com/sn/SN-1046-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, Spinrite 6.

Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit

Sponsors:
  • threatlocker.com for Security Now
  • joindeleteme.com/twit promo code TWIT
  • hoxhunt.com/securitynow
  • bitwarden.com/twit
  • veeam.com

All TWiT.tv Shows (MP3)
Security Now 1046: Google's Developer Registration Decree

Oct 8, 2025 · 164:44


Same episode as the Security Now (MP3) entry above; the description is identical.

Security Now (Video HD)
SN 1046: Google's Developer Registration Decree - The End of Free Android Apps?

Oct 8, 2025 · 151:21


Same episode as the Security Now (MP3) entry above; the description is identical.

Security Now (Video HI)
SN 1046: Google's Developer Registration Decree - The End of Free Android Apps?

Security Now (Video HI)

Play Episode Listen Later Oct 8, 2025 151:21


Google's new demand for developer registration could spell the end for open-source app stores, while Europe's controversial chat control vote threatens privacy for everyone—Steve and Leo break down what's at stake for devs and users alike. Qantas says no one can releak their stolen data. Brave's usage is up. But is it really 3 times faster. Next Tuesday the EU votes on "Chat Control". Microsoft formally launches a "Security Store". Outlook moves to block JavaScript in SVG's. A new release of Chrome. Gmail will no longer pull external email via POP. Googe Drive starts blocking ransomware encryptions. The UK issues another order to Apple. Researchers create a "Battering RAM" attack device. HackerOne's significant bug bounty payouts. The Imgur service goes dark across the UK. Guess why. The Netherlands plans to say NO to "Chat Control." Discord was breached and government IDs leaked. Salesforce says it's not another new breach. Signal introduces a new post-quantum ratchet. Your motherboard MIGHT support TPM 2.0. Google to force Android app devs to register and pay Show Notes - https://www.grc.com/sn/SN-1046-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit Sponsors: threatlocker.com for Security Now joindeleteme.com/twit promo code TWIT hoxhunt.com/securitynow bitwarden.com/twit veeam.com

Radio Leo (Audio)
Security Now 1046: Google's Developer Registration Decree

Radio Leo (Audio)

Play Episode Listen Later Oct 8, 2025 164:44


Google's new demand for developer registration could spell the end for open-source app stores, while Europe's controversial chat control vote threatens privacy for everyone—Steve and Leo break down what's at stake for devs and users alike. Qantas says no one can releak their stolen data. Brave's usage is up. But is it really 3 times faster. Next Tuesday the EU votes on "Chat Control". Microsoft formally launches a "Security Store". Outlook moves to block JavaScript in SVG's. A new release of Chrome. Gmail will no longer pull external email via POP. Googe Drive starts blocking ransomware encryptions. The UK issues another order to Apple. Researchers create a "Battering RAM" attack device. HackerOne's significant bug bounty payouts. The Imgur service goes dark across the UK. Guess why. The Netherlands plans to say NO to "Chat Control." Discord was breached and government IDs leaked. Salesforce says it's not another new breach. Signal introduces a new post-quantum ratchet. Your motherboard MIGHT support TPM 2.0. Google to force Android app devs to register and pay Show Notes - https://www.grc.com/sn/SN-1046-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit Sponsors: threatlocker.com for Security Now joindeleteme.com/twit promo code TWIT hoxhunt.com/securitynow bitwarden.com/twit veeam.com

Security Now (Video LO)
SN 1046: Google's Developer Registration Decree - The End of Free Android Apps?

Security Now (Video LO)

Play Episode Listen Later Oct 8, 2025 151:21


Google's new demand for developer registration could spell the end for open-source app stores, while Europe's controversial chat control vote threatens privacy for everyone—Steve and Leo break down what's at stake for devs and users alike. Qantas says no one can releak their stolen data. Brave's usage is up. But is it really 3 times faster. Next Tuesday the EU votes on "Chat Control". Microsoft formally launches a "Security Store". Outlook moves to block JavaScript in SVG's. A new release of Chrome. Gmail will no longer pull external email via POP. Googe Drive starts blocking ransomware encryptions. The UK issues another order to Apple. Researchers create a "Battering RAM" attack device. HackerOne's significant bug bounty payouts. The Imgur service goes dark across the UK. Guess why. The Netherlands plans to say NO to "Chat Control." Discord was breached and government IDs leaked. Salesforce says it's not another new breach. Signal introduces a new post-quantum ratchet. Your motherboard MIGHT support TPM 2.0. Google to force Android app devs to register and pay Show Notes - https://www.grc.com/sn/SN-1046-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit Sponsors: threatlocker.com for Security Now joindeleteme.com/twit promo code TWIT hoxhunt.com/securitynow bitwarden.com/twit veeam.com

All TWiT.tv Shows (Video LO)
Security Now 1046: Google's Developer Registration Decree

All TWiT.tv Shows (Video LO)

Play Episode Listen Later Oct 8, 2025 151:21 Transcription Available


Google's new demand for developer registration could spell the end for open-source app stores, while Europe's controversial chat control vote threatens privacy for everyone—Steve and Leo break down what's at stake for devs and users alike. Qantas says no one can releak their stolen data. Brave's usage is up. But is it really 3 times faster. Next Tuesday the EU votes on "Chat Control". Microsoft formally launches a "Security Store". Outlook moves to block JavaScript in SVG's. A new release of Chrome. Gmail will no longer pull external email via POP. Googe Drive starts blocking ransomware encryptions. The UK issues another order to Apple. Researchers create a "Battering RAM" attack device. HackerOne's significant bug bounty payouts. The Imgur service goes dark across the UK. Guess why. The Netherlands plans to say NO to "Chat Control." Discord was breached and government IDs leaked. Salesforce says it's not another new breach. Signal introduces a new post-quantum ratchet. Your motherboard MIGHT support TPM 2.0. Google to force Android app devs to register and pay Show Notes - https://www.grc.com/sn/SN-1046-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit Sponsors: threatlocker.com for Security Now joindeleteme.com/twit promo code TWIT hoxhunt.com/securitynow bitwarden.com/twit veeam.com

Radio Leo (Video HD)
Security Now 1046: Google's Developer Registration Decree

Radio Leo (Video HD)

Play Episode Listen Later Oct 8, 2025 151:21 Transcription Available


Google's new demand for developer registration could spell the end for open-source app stores, while Europe's controversial chat control vote threatens privacy for everyone—Steve and Leo break down what's at stake for devs and users alike. Qantas says no one can releak their stolen data. Brave's usage is up. But is it really 3 times faster. Next Tuesday the EU votes on "Chat Control". Microsoft formally launches a "Security Store". Outlook moves to block JavaScript in SVG's. A new release of Chrome. Gmail will no longer pull external email via POP. Googe Drive starts blocking ransomware encryptions. The UK issues another order to Apple. Researchers create a "Battering RAM" attack device. HackerOne's significant bug bounty payouts. The Imgur service goes dark across the UK. Guess why. The Netherlands plans to say NO to "Chat Control." Discord was breached and government IDs leaked. Salesforce says it's not another new breach. Signal introduces a new post-quantum ratchet. Your motherboard MIGHT support TPM 2.0. Google to force Android app devs to register and pay Show Notes - https://www.grc.com/sn/SN-1046-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit Sponsors: threatlocker.com for Security Now joindeleteme.com/twit promo code TWIT hoxhunt.com/securitynow bitwarden.com/twit veeam.com

Defense in Depth
What New Risks Does AI Introduce?

Defense in Depth

Play Episode Listen Later Sep 18, 2025 30:46


All links and images can be found on CISO Series. Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark, the producer of CISO Series, and Geoff Belknap. Joining us is our sponsored guest, Kara Sprague, CEO, HackerOne.

In this episode:
Shadow AI as a control problem
Rethinking identity for autonomous agents
When process meets momentum
Beyond blocking: channeling AI usage

Huge thanks to our sponsor, HackerOne. Discover how AI innovators like Adobe, Anthropic, and Snap are using AI to find and fix vulnerabilities across the software development lifecycle. HackerOne, the global leader in offensive security solutions, reveals all in the CISOs' guide to securing the future of AI. Download it now to see how AI can strengthen your security posture. Learn more at https://www.hackerone.com/

Security Now (MP3)
SN 1043: Memory Integrity Enforcement - Crypto ATM Scam Epidemic

Security Now (MP3)

Play Episode Listen Later Sep 17, 2025 171:36 Transcription Available


Apple just rewrote the rules of device security with a chip-level upgrade that could wipe out most iPhone vulnerabilities overnight. Find out how "memory integrity enforcement" aims to make exploits a thing of the past—and why it took half a decade to pull off. Are Bitcoin ATMs anything more than scamming terminals? Ransomware hits the Uvalde school district and Jaguar. Did "Scattered LapSus Hunters" just throw in the towel? Germany, for one, to vote "no" on Chat Control. Russia's new MAX messenger has startup troubles. Samsung follows Apple's WhatsApp patch chain. Shocker: UK school hacks are mostly by students. HackerOne was hacked. Connected washing machines in Amsterdam hacked. DDoS breaks another record. Bluesky to implement conditional age verification. Enforcement actions for Global Privacy Control. Might Apple have finally beaten vulnerabilities?

Show Notes - https://www.grc.com/sn/SN-1043-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, Spinrite 6.
Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit
Sponsors: joindeleteme.com/twit promo code TWIT; vanta.com/SECURITYNOW; threatlocker.com for Security Now; bitwarden.com/twit; Melissa.com/twit

The Deep Dive Radio Show and Nick's Nerd News
Your Breaches of the Week! September 8 to September 14, 2025

The Deep Dive Radio Show and Nick's Nerd News

Play Episode Listen Later Sep 15, 2025 25:28


The Great Firewall of China, Jaguar Land Rover, Workday, Facebook, Tenable and Qualys, HackerOne and so much more are all part of this week's breaches!

Irish Tech News Audio Articles
Integrity360 announces exclusive Irish partnership with HackerOne to uncover hidden cyber risks

Irish Tech News Audio Articles

Play Episode Listen Later Sep 9, 2025 3:08


More than 7.5 million global cyber incidents were reported in the first half of 2025, a 19% rise on the same period last year. To combat the surge in attacks, Integrity360 is announcing an exclusive Irish partnership with global bug bounty leader HackerOne. This partnership gives businesses direct local access to a trusted network of more than two million ethical hackers, delivering real-time vulnerability discovery and remediation before threats can be exploited.

Cyber attacks are increasing in both sophistication and volume, with large organisations - particularly those with web-facing infrastructure - experiencing relentless attempts to identify and exploit weaknesses. While traditional penetration testing and red teaming remain essential, a well-organised bug bounty programme takes cyber security to the next level. Integrity360's collaboration with HackerOne adds an 'always-on' layer of human-led testing, giving enterprises continuous visibility into emerging threats and an attacker's-eye view of their systems.

Drawing on HackerOne's global community of security researchers, Integrity360 identifies vulnerabilities that automated tools might miss. With access to over two million ethical hackers, security teams can prioritise and remediate critical risks faster - a capability that would be virtually impossible for any single organisation to replicate in-house. Furthermore, you only pay for exposures that are discovered, providing excellent return on investment.

The collaboration expands the cyber security testing portfolio of Integrity360, enabling delivery of an end-to-end service that spans scheduled assessments, red teaming, and continuous researcher-led testing. While HackerOne underpins the platform with its unparalleled crowd-powered expertise, Integrity360 ensures seamless integration into clients' security programmes.

"Technology alone can't match the creativity and persistence of a determined attacker," said Richard Ford, CTO at Integrity360. "By partnering with HackerOne, we are enabling organisations to tap into a vast, global community of security researchers who continuously probe for weaknesses. This is proactive defence in action, which is designed to uncover and fix issues before they become security incidents."

John Addeo, VP of Global Channels at HackerOne, said: "Integrity360 brings deep enterprise security expertise, while our hacker community provides real-world insight that tools alone can't deliver. Together, we help organisations find and fix vulnerabilities faster, reducing their attack surface in an increasingly complex threat environment."

The move reflects a wider industry shift from periodic, compliance-driven assessments to continuous, community-powered protection. As cyber threats continue to evolve, the ability to detect and respond to vulnerabilities in real time will become a critical benchmark for effective cyber defence.

Security Conversations
Live from Black Hat: Brandon Dixon parses the AI security hype

Security Conversations

Play Episode Listen Later Aug 7, 2025 90:14


Three Buddy Problem - Episode 57: Brandon Dixon (PassiveTotal/RiskIQ, Microsoft) leads a deep dive into the collision of AI and cybersecurity. We tackle Google's "Big Sleep" project, XBOW's HackerOne automation hype, and the long-running tension between big tech ownership of critical security tools and the community's need for open access. Plus: the future of SOC automation and AI-assisted pen testing, how agentic AI could transform cyber talent bottlenecks and operational inefficiencies, geopolitical debates over backdoors in GPUs, and the strategic implications of China's AI model development. Cast: Brandon Dixon (https://www.linkedin.com/in/brandonsdixon/), Juan Andres Guerrero-Saade (https://twitter.com/juanandres_gs), and Ryan Naraine (https://twitter.com/ryanaraine).

AWS for Software Companies Podcast
Ep121: Ethical Hackers and AI Agents: The Future of Vulnerability Management with HackerOne

AWS for Software Companies Podcast

Play Episode Listen Later Jul 21, 2025 19:54


Founder and CTO Alex Rice discusses how HackerOne uses generative AI to automate security workflows and why it prioritizes accuracy over efficiency to achieve end-to-end outcomes.

Topics Include:
HackerOne uses ethical hackers and AI to find vulnerabilities before criminals do
White hat hackers stress-test systems to identify security weaknesses proactively
Generative AI plays a huge role in HackerOne's security operations
Security teams struggle with the constant toil of finding and fixing vulnerabilities
AI helps minimize toil through natural language interfaces and automation
Both good and bad actors have access to generative AI tools
Success requires measuring individual task inputs and outputs, not just aggregates
Breaking down workflows into granular tasks reveals measurable AI improvements
HackerOne deployed "Hive," their AI security agent, to reduce customer toil
Initial focus was on tasks where AI clearly outperformed humans
Started with low-hanging fruit before tackling more complex strategic workflows
Accuracy is the primary success metric, not just efficiency or speed
Security requires precision; wrong fixes create bigger problems than inefficiency
Customer acceptance and reduced time to remediation are north star metrics
Humans remain the source of truth for validation and feedback loops
Break down human jobs into granular AI tasks using systems thinking
Build specific agents for individual tasks rather than entire job roles
Keep humans accountable for end-to-end outcomes to maintain customer trust
AWS Bedrock chosen for security, confidentiality, and data separation requirements
Moving from efficiency improvements to entirely new AI-enabled capabilities

Participants: Alex Rice – Founder & CTO/CISO, HackerOne

Further Links: HackerOne Website; HackerOne on AWS Marketplace

See how Amazon Web Services gives you the freedom to migrate, innovate, and scale your software company at https://aws.amazon.com/isv/

The Shared Security Show
Autonomous Hacking? This Startup May Have Just Changed Penetration Testing Forever

The Shared Security Show

Play Episode Listen Later Jul 7, 2025 21:34


In this episode, we explore the revolutionary concept of autonomous penetration testing with a discussion of cybersecurity startup XBOW's recent breakthrough. XBOW claims to have topped HackerOne's leaderboard using a fully autonomous AI agent, raising significant questions about the future of offensive security. Hosts discuss the potential of AI in pen testing, the implications for […] The post Autonomous Hacking? This Startup May Have Just Changed Penetration Testing Forever appeared first on Shared Security Podcast.

Today in Health IT
2 Minute Drill: AI Takes the Lead and Scattered Spider's Airline Attack with Drex DeFord

Today in Health IT

Jul 3, 2025 · 5:06


Drex covers three critical cybersecurity developments: Expo's groundbreaking AI-powered penetration testing system dominates HackerOne with over 1,000 vulnerabilities found, Microsoft redesigns the iconic Blue Screen of Death after 40 years, and the Scattered Spider ransomware group pivots from insurance to airline industry attacks using advanced social engineering and deepfakes.

Remember, Stay a Little Paranoid

X: This Week Health
LinkedIn: This Week Health
Donate: Alex's Lemonade Stand: Foundation for Childhood Cancer

Hacker Valley Studio
The AI Gold Rush in Cybersecurity with Chris Cochran

Hacker Valley Studio

Jun 19, 2025 · 30:44


The new cybersecurity pioneers aren't chasing alerts, they're building with AI. But what happens when tools meant to assist begin making decisions for us? And what skills do we lose when machines fill the gaps we used to grow into? In this episode, Chris Cochran, CEO and Founder of Commandant, returns to Hacker Valley Studio with an insider view on building in the AI boom. He shares why he's betting on incident response over the “AI SOC,” what it means to use AI with integrity, and how this moment mirrors the early industrial revolutions: chaotic, risky, but ripe with once-in-a-career opportunity.

Impactful Moments:
00:00 – Introduction
02:11 – Launch of Commandant AI
03:06 – Early-stage LLM opportunities
05:26 – Built first AI co-pilot in 4 hours
06:00 – AI bot tops HackerOne leaderboard
07:44 – AI used for and against orgs
10:14 – Focus on incident response, not AI SOC
12:34 – Reducing cost of prolonged incidents
14:01 – Cybersecurity changing every 2 months
16:58 – AI causing rapid skill loss
21:59 – AI-assisted job interviews detected
24:49 – AI lacks business context for blocking
27:30 – Daily AI use pays long-term dividends

Links:
Connect with our guest, Chris Cochran: https://www.linkedin.com/in/chrishvm/
Check out our upcoming events: https://www.hackervalley.com/livestreams
Join our creative mastermind and stand out as a cybersecurity professional: https://www.patreon.com/hackervalleystudio
Love Hacker Valley Studio? Pick up some swag: https://store.hackervalley.com
Continue the conversation by joining our Discord: https://hackervalley.com/discord
Become a sponsor of the show to amplify your brand: https://hackervalley.com/work-with-us/

Critical Thinking - Bug Bounty Podcast
Episode 123: Hacking AI Series: Vulnus ex Machina - Part 2

Critical Thinking - Bug Bounty Podcast

May 22, 2025 · 44:12


Episode 123: In this episode of Critical Thinking - Bug Bounty Podcast we're back with part 2 of Rez0's miniseries. Today we talk about mastering Prompt Injection, taxonomy of impact, and both triggering traditional vulns and exploiting AI-specific features.

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater and Rez0 on Twitter:
https://x.com/Rhynorater
https://x.com/rez0__

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!

Today's Sponsor - ThreatLocker User Store
https://www.criticalthinkingpodcast.io/tl-userstore

====== This Week in Bug Bounty ======
Earning a HackerOne 2025 Live Hacking Invite
https://www.hackerone.com/blog/earning-hackerone-2025-live-hacking-invite
HTTP header hacks: basic and advanced exploit techniques explored
https://www.yeswehack.com/learn-bug-bounty/http-header-exploitation

====== Resources ======
Grep.app
https://vercel.com/blog/migrating-grep-from-create-react-app-to-next-js
Gemini 2.5 Pro prompt leak
https://x.com/elder_plinius/status/1913734789544214841
Pliny's CL4R1T4S
https://github.com/elder-plinius/CL4R1T4S
O3
https://x.com/pdstat/status/1913701997141803329

====== Timestamps ======
(00:00:00) Introduction
(00:05:25) Grep.app, O3, and Gemini 2.5 Pro prompt leak
(00:11:09) Delivery and impactful action
(00:20:44) Mastering Prompt Injection
(00:30:36) Traditional vulns in Tool Calls, and AI Apps
(00:37:32) Exploiting AI specific features

Crazy Wisdom
Episode #448: From Prompt Injection to Reverse Shells: Navigating AI's Dark Alleyways with Naman Mishra

Crazy Wisdom

Mar 31, 2025 · 47:55


In this episode of Crazy Wisdom, I, Stewart Alsop, sit down with Naman Mishra, CTO of Repello AI, to unpack the real-world security risks behind deploying large language models. We talk about layered vulnerabilities, from the model, infrastructure, and application layers, to attack vectors like prompt injection, indirect prompt injection through agents, and even how a simple email summarizer could be exploited to trigger a reverse shell. Naman shares stories like the accidental leak of a Windows activation key via an LLM and explains why red teaming isn't just a checkbox, but a continuous mindset. If you want to learn more about his work, check out Repello's website at repello.ai.

Check out this GPT we trained on the conversation!

Timestamps
00:00 - Stewart Alsop introduces Naman Mishra, CTO of Repello AI. They frame the episode around AI security, contrasting prompt injection risks with traditional cybersecurity in ML apps.
05:00 - Naman explains the layered security model: model, infrastructure, and application layers. He distinguishes safety (bias, hallucination) from security (unauthorized access, data leaks).
10:00 - Focus on the application layer, especially in finance, healthcare, and legal. Naman shares how ChatGPT leaked a Windows activation key and stresses data minimization and security-by-design.
15:00 - They discuss red teaming, how Repello AI simulates attacks, and Anthropic's HackerOne challenge. Naman shares how adversarial testing strengthens LLM guardrails.
20:00 - Conversation shifts to AI agents and autonomy. Naman explains indirect prompt injection via email or calendar, leading to real exploits like reverse shells, all triggered by summarizing an email.
25:00 - Stewart compares the Internet to a castle without doors. Naman explains the cat-and-mouse game of security: attackers need one flaw; defenders must lock every door. LLM insecurity lowers the barrier for attackers.
30:00 - They explore input/output filtering, role-based access control, and clean fine-tuning. Naman admits most guardrails can be broken and only block low-hanging fruit.
35:00 - They cover denial-of-wallet attacks, in which LLMs are exploited to run up massive token costs. Naman critiques DeepSeek's weak alignment and state bias, noting training data risks.
40:00 - Naman breaks down India's AI scene: Bangalore as a hub, US-India GTM, and the debate between sovereignty vs. pragmatism. He leans toward India building foundational models.
45:00 - Closing thoughts on India's AI future. Naman mentions Sarvam AI, Krutrim, and Paris Chopra's Loss Funk. He urges devs to red team before shipping: "close the doors before enemies walk in."

Key Insights
AI security requires a layered approach. Naman emphasizes that GenAI applications have vulnerabilities across three primary layers: the model layer, infrastructure layer, and application layer. It's not enough to patch up just one; true security-by-design means thinking holistically about how these layers interact and where they can be exploited.

Prompt injection is more dangerous than it sounds. Direct prompt injection is already risky, but indirect prompt injection, where an attacker hides malicious instructions in content that the model will process later, like an email or webpage, poses an even more insidious threat. Naman compares it to smuggling weapons past the castle gates by hiding them in the food.

Red teaming should be continuous, not a one-off. One of the critical mistakes teams make is treating red teaming like a compliance checkbox. Naman argues that red teaming should be embedded into the development lifecycle, constantly testing edge cases and probing for failure modes, especially as models evolve or interact with new data sources.

LLMs can unintentionally leak sensitive data. In one real-world case, a language model fine-tuned on internal documentation ended up leaking a Windows activation key when asked a completely unrelated question. This illustrates how even seemingly benign outputs can compromise system integrity when training data isn't properly scoped or sanitized.

Denial-of-wallet is an emerging threat vector. Unlike traditional denial-of-service attacks, LLMs are vulnerable to economic attacks where a bad actor can force the system to perform expensive computations, draining API credits or infrastructure budgets. This kind of vulnerability is particularly dangerous in scalable GenAI deployments with limited cost monitoring.

Agents amplify security risks. While autonomous agents offer exciting capabilities, they also open the door to complex, compounded vulnerabilities. When agents start reading web content or calling tools on their own, indirect prompt injection can escalate into real-world consequences, like issuing financial transactions or triggering scripts, without human review.

The Indian AI ecosystem needs to balance speed with sovereignty. Naman reflects on the Indian and global context, warning against simply importing models and infrastructure from abroad without understanding the security implications. There's a need for sovereign control over critical layers of AI systems, not just for innovation's sake, but for national resilience in an increasingly AI-mediated world.

The Eric Ries Show
The Hired CEO with Founder Mode | Marten Mickos (MySQL, HackerOne)

The Eric Ries Show

Mar 27, 2025 · 92:37


In this episode of The Eric Ries Show, I sit down with Marten Mickos, a serial tech CEO who has been at the forefront of some of the most transformative moments in open-source technology. From leading MySQL through its groundbreaking journey to guiding HackerOne as a pioneering bug bounty platform, Marten's career is a masterclass in building innovative, trust-driven organizations.

Our wide-ranging conversation explores Marten's remarkable journey through tech leadership, touching on his experiences building game-changing companies and, more recently, his work coaching emerging CEOs. We dive deep into the world of open source, company culture, and the nuanced art of leadership.

In our conversation today, we talk about the following topics:
• How MySQL revolutionized open-source databases and became Facebook's database
• The strategic decision to make MySQL open source and leverage Linux distributions
• The art of building a beloved open-source project while creating a profitable business model
• How a lawsuit solidified MySQL's position in the open-source database market
• The role of transparency and direct feedback in building organizational trust
• Why Marten was drawn to HackerOne's disruptive approach to cybersecurity
• Marten's transition to coaching new CEOs
• Marten's unique "contrast framework" for making complex decisions
• And much more!

Brought to you by:
• Wilson Sonsini – Wilson Sonsini is the innovation economy's law firm. Learn more.
• Gusto – Gusto is an easy payroll and benefits software built for small businesses. Get 3 months free.

Where to find Marten Mickos:
• LinkedIn: https://www.linkedin.com/in/martenmickos/
• Bluesky: https://bsky.app/profile/martenmickos.bsky.social

Where to find Eric:
• Newsletter: https://ericries.carrd.co/
• Podcast: https://ericriesshow.com/
• YouTube: https://www.youtube.com/@theericriesshow

In This Episode We Cover:
(00:00) Intro
(03:15) The first time Eric used MySQL
(07:10) The origins of MySQL and how Marten got involved
(13:22) Why MySQL pivoted to open source to leverage the power of Linux distros
(17:03) Open source vs. closed
(18:56) Building profitable open-source companies
(24:52) The fearless company culture at MySQL and the Progress lawsuit
(29:30) The value of not cutting any corners
(33:35) How a dolphin became part of the MySQL logo
(35:55) What it was like to build a company of true believers
(38:47) Marten's management approach emphasizes kindness and direct feedback
(42:12) Marten's hiring philosophy
(45:14) Why MySQL sold to Sun Microsystems and tried to avoid Oracle
(50:24) How Oracle has made MySQL even better
(52:22) Why Marten decided to lead at HackerOne
(55:41) An overview of HackerOne
(59:31) How HackerOne got started and landed the Department of Defense contract
(1:03:19) The trust-building power of transparency
(1:08:30) Marten's successor and the state of HackerOne now
(1:09:23) Marten's work coaching CEOs
(1:14:20) Common issues CEOs struggle with
(1:16:45) Marten's contrast framework
(1:26:12) The book of Finnish poetry that inspired Marten's love of polarities

You can find the transcript and references at https://www.ericriesshow.com/

Production and marketing by https://penname.co/. Eric may be an investor in the companies discussed.

Risk Management Show
Bug Bounty Myths DEBUNKED: What Risk Managers Must Know

Risk Management Show

Mar 20, 2025 · 20:14


In this episode of the Risk Management Show, we debunk common bug bounty myths and explore what risk managers need to know to enhance their cyber security strategies. Joining us is Will Kapcio, Sales Engineer Manager at HackerOne, the world leader in hacker-powered security. Will shares expert insights into the realities of bug bounty programs, how private initiatives often outperform public ones, and the critical role they play in identifying vulnerabilities that evade traditional testing methods. We also discuss the findings of HackerOne's latest Hacker-Powered Security Report, including the top vulnerabilities organizations still struggle with, the impact of AI on both attackers and defenders, and practical advice for launching and scaling a successful bug bounty program. Whether you're a Chief Risk Officer, cyber security professional, or simply interested in the intersection of risk management and sustainability, this episode is packed with actionable insights. If you want to be our guest or suggest a guest, send your email to info@globalriskconsult.com with the subject line "Guest Proposal." Don't miss this invaluable di

Paul's Security Weekly
The Future of Cyber Regulation in the New Administration - Ilona Cohen, Jenn Gile - ESW #395

Paul's Security Weekly

Feb 24, 2025 · 118:52


In this interview, we're excited to have Ilona Cohen to help us understand what changes this new US administration might bring, in terms of cybersecurity regulation. Ilona's insights come partially from her own experiences working from within the White House. Before she was the Chief Legal Officer of HackerOne, she was a senior lawyer to President Obama and served as General Counsel of the White House Office of Management and Budget (OMB). In this hyper-partisan environment, it's easy to get hung up on particular events. Do many of us lack cross-administration historical perspective? Probably. Should we be outraged by the dissolution of the CSRB, or was this a fairly ordinary occurrence when a new administration comes in? These are the kinds of questions I'll be posing to Ilona in this conversation. How the Change Healthcare breach can prompt real cybersecurity change

'Shift Left' feels like a cliché at this point, but it's often difficult to track tech and security movements if you aren't interacting with practitioners on a regular basis. Some areas of tech have a longer tail when it comes to late adopters and laggards, and application security appears to be one of these areas. In this interview, Jenn Gile catches us up on AppSec trends.

Segment Resources:
Microsoft Defender for Cloud Natively Integrates with Endor Labs
2024 Dependency Management Report
How to pick the right SAST tool

In the enterprise security news,
Change Healthcare's HIPAA fine is vanishingly small
How worried should we be about the threat of AI models? What about the threat of DeepSeek? And the threat of employees entering sensitive data into GenAI prompts?
The myth of trillion-dollar cybercrime losses is alive and well!
Kagi Privacy Pass gives you the best of both worlds: high quality web searches AND privacy/anonymity
Thanks to the UK for letting everyone know about end-to-end encryption for iCloud!
What is the most UNHINGED thing you've ever seen a security team push on employees?

All that and more, on this episode of Enterprise Security Weekly. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-395


Paul's Security Weekly TV
The Future of Cyber Regulation in the New Administration - Ilona Cohen - ESW #395

Paul's Security Weekly TV

Feb 23, 2025 · 32:16


In this interview, we're excited to have Ilona Cohen to help us understand what changes this new US administration might bring, in terms of cybersecurity regulation. Ilona's insights come partially from her own experiences working from within the White House. Before she was the Chief Legal Officer of HackerOne, she was a senior lawyer to President Obama and served as General Counsel of the White House Office of Management and Budget (OMB). In this hyper-partisan environment, it's easy to get hung up on particular events. Do many of us lack cross-administration historical perspective? Probably. Should we be outraged by the dissolution of the CSRB, or was this a fairly ordinary occurrence when a new administration comes in? These are the kinds of questions I'll be posing to Ilona in this conversation. How the Change Healthcare breach can prompt real cybersecurity change

Show Notes: https://securityweekly.com/esw-395

Cybercrime Magazine Podcast
Women In Cybersecurity. Driving Change & Shaping The Future. Kara Sprague, CEO, HackerOne.

Cybercrime Magazine Podcast

Jan 29, 2025 · 10:41


Kara Sprague is the Chief Executive Officer at HackerOne. In this episode, she joins host Amanda Glassner to discuss her experience as a woman in cybersecurity, the benefits that diverse perspectives bring to a leadership team, the value of recruitment and retention, and more, as well as what's next for HackerOne.

• For more on cybersecurity, visit us at https://cybersecurityventures.com

Paul's Security Weekly
AI Red Teaming Comes to Bug Bounties - Francis Dinha, Michiel Prins - ESW #391

Paul's Security Weekly

Jan 27, 2025 · 127:23


HackerOne's co-founder, Michiel Prins, walks us through the latest new offensive security service: AI red teaming. At the same time enterprises globally are trying to figure out how to QA and red team generative AI models like LLMs, early adopters are challenged to scale these tests. Crowdsourced bug bounty platforms are a natural place to turn for assistance with scaling this work, though, as we'll discuss on this episode, it is unlike anything bug hunters have ever tackled before.

Segment Resources:
https://www.hackerone.com/ai/snap-ai-red-teaming
https://www.hackerone.com/thought-leadership/ai-safety-red-teaming

This interview is a bit different from our norm. We talk to the founder and CEO of OpenVPN about what it is like to operate a business based on open source, particularly through trying times like the recent pandemic. How do you compete when your competitors are free to build products using your software and IP? It seems like an oxymoron, but an open source-based business actually has some significant advantages over the closed source commercial approach.

In this week's enterprise security news,
the first cybersecurity IPO in 3.5 years!
new companies
new tools
the fate of CISA and the cyber safety review board
things we learned about AI in 2024
is the humanless SOC possible?
NGFWs have some surprising vulnerabilities
what did generative music sound like in 1996?

All that and more, on this episode of Enterprise Security Weekly. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-391


Paul's Security Weekly TV
AI Red Teaming Comes to Bug Bounties - Michiel Prins - ESW #391

Paul's Security Weekly TV

Jan 26, 2025 · 33:31


HackerOne's co-founder, Michiel Prins, walks us through the latest new offensive security service: AI red teaming. At the same time enterprises globally are trying to figure out how to QA and red team generative AI models like LLMs, early adopters are challenged to scale these tests. Crowdsourced bug bounty platforms are a natural place to turn for assistance with scaling this work, though, as we'll discuss on this episode, it is unlike anything bug hunters have ever tackled before.

Segment Resources:
https://www.hackerone.com/ai/snap-ai-red-teaming
https://www.hackerone.com/thought-leadership/ai-safety-red-teaming

Show Notes: https://securityweekly.com/esw-391

Critical Thinking - Bug Bounty Podcast
Episode 98: Team 82 Sharon Brizinov - The Live Hacking Polymath

Critical Thinking - Bug Bounty Podcast

Nov 21, 2024 · 103:57


Episode 98: In this episode of Critical Thinking - Bug Bounty Podcast Justin Gardner sits down with Sharon to discuss his journey from early iOS development to leading a research team at Claroty. They address the differences between HackerOne and Pwn2Own, and talk through some intricacies of IoT security, and some less common IoT attack surfaces.

Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!

------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today's Sponsor - ThreatLocker: Check out Network Control!
https://www.criticalthinkingpodcast.io/tl-nc
And AssetNote: Check out their ASMR board (no not that kind!)
https://assetnote.io/asmr

Today's Guest: https://sharonbrizinov.com/

Resources
The Claroty Research Team
https://claroty.com/team82
Pwntools
https://github.com/Gallopsled/pwntools
Scan My SMS
http://scanmysms.com
Gotta Catch 'Em All: Phishing, Smishing, and the birth of ScanMySMS
https://www.youtube.com/watch?v=EhNsXXbDp3U

Timestamps
(00:00:00) Introduction
(00:03:31) Sharon's Origin Story
(00:21:58) Transition to Bug Bounty and Pwn2Own vs HackerOne
(00:47:05) IoT/ICS Hacking Methodology
(01:10:13) Cloud to Device Communication
(01:18:15) Bug replication and uncommon attack surfaces
(01:30:58) Documentation tracker, reCaptcha bypass, and ScanMySMS

Screaming in the Cloud
Disclosing Vulnerabilities in the Cloud with Ryan Nolette

Screaming in the Cloud

Oct 29, 2024 · 39:42


In this episode of "Screaming in the Cloud," we're making sure things are nice and secure thanks to Ryan Nolette, Senior Security Engineer at AWS Outreach. As a part of the Outreach team, he's responsible for making sure everyone understands the nuances of AWS's Vulnerability Disclosure Program. Corey and Ryan explore the intricacies of AWS's approach to security, including the emphasis on communication with researchers. You'll also get an overview of what goes into Vulnerability Disclosure Programs and how it courts security researchers over “security researchers.” If there's anything you can take away from this episode, it's that Ryan takes great pride in AWS's commitment to transparency and collaboration when it comes to resolving potential security flaws.

Show Highlights
(0:00) Intro
(0:38) Backblaze sponsor read
(1:06) The role of AWS' security team outreach group
(2:21) The nuance of the Vulnerability Disclosure Program
(4:05) Will the VDP program replace human interactions
(10:08) Responsible disclosure vs. coordinated disclosure
(15:26) The high-quality communication of the AWS security team
(17:33) Gitpod sponsor read
(18:45) Security researchers vs. "security researchers"
(25:54) What's next for the VDP Program?
(29:26) Avoiding "security by obscurity"
(32:08) Being intentional with security messaging
(36:16) Where you can find more from Ryan

About Ryan Nolette
Ryan is AWS's Senior Security Engineer for the Outreach Team and co-author of AWS Detective. He has previously held a variety of roles including threat research, incident response consulting, and every level of security operations. With almost 2 decades in the infosec field, Ryan has been on the development and operations side of companies such as Postman, Sqrrl, Carbon Black, Crossbeam Systems, SecureWorks and Fidelity Investments. Ryan has been an active speaker and writer on threat hunting and endpoint security.

Links
AWS VDP on HackerOne: hackerone.com/aws_vdp
AWS VDP inbox: aws-security@amazon.com
LinkedIn: www.linkedin.com/in/cloudy-with-a-chance-of-security
AWS Vulnerability Reporting site: https://aws.amazon.com/security/vulnerability-reporting/
Give your feedback on the recently expanded VDP program: https://pulse.aws/survey/MOOFGRLM

Sponsors
Backblaze: https://www.backblaze.com/
Gitpod: gitpod.io

Paul's Security Weekly
Community Knowledge Sharing with CyberNest - Ben Siegel, Aaron Costello - ESW #379

Paul's Security Weekly

Oct 11, 2024 · 113:03


For this interview, Ben from CyberNest joins us to talk about one of my favorite subjects: information sharing in infosec. There are so many amazing skills, tips, techniques, and intel that security professionals have to share. Sadly, a natural corporate reluctance to share information viewed as privileged and private has historically had a chilling effect on information sharing. We'll discuss how to build such a community, how to clear the historical hurdles with information sharing, and how to monetize it without introducing bias and compromising the integrity of the information shared. Aaron was already a skilled bug hunter and working at HackerOne as a triage analyst at the time. What he discovered can't even be described as a software bug or a vulnerability. This type of finding has probably resulted in more security incidents and breaches than any other category: the unintentional misconfiguration. There's a lot of conversation right now about the grey space around 'shared responsibility'. In our news segment later, we'll also be discussing the difference between secure design and secure defaults. The recent incidents revolving around Snowflake customers getting compromised via credential stuffing attacks is a great example of this. Open AWS S3 buckets are probably the best known example of this problem. At what point is the service provider responsible for customer mistakes? When 80% of customers are making expensive, critical mistakes? Doesn't the service provider have a responsibility to protect its customers (even if it's from themselves)? These are the kinds of issues that led to Aaron getting his current job as Chief of SaaS Security Research at AppOmni, and also led to him recently finding another common misconfiguration - this time in ServiceNow's products. Finally, we'll discuss the value of a good bug report, and how it can be a killer addition to your resume if you're interested in this kind of work! 
Segment Resources: Aaron's blog about the ServiceNow data exposure. The ServiceNow blog, thanking AppOmni for its support in uncovering the issue.

In the enterprise security news: Eon, Resolve AI, Harmonic and more raise funding; Dragos acquires Network Perception; Prevalent acquires Miratech; the latest DFIR reports; a spicy security product review; Secure by Whatever; new threats; hot takes. All that and more, on this episode of Enterprise Security Weekly. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-379

The Table with Anthony ONeal
How to Build Wealth With $0 .. Works Instantly!

The Table with Anthony ONeal

Play Episode Listen Later May 29, 2024 15:49


On this episode of The Table with Anthony ONeal, we're joined by Arlan Hamilton, founder of Backstage Capital and HireRunner.co and a remarkable entrepreneur, author, investor, and speaker. She shares invaluable insights on entrepreneurship, the start of her investment journey, and how she made her first million dollars at 40 years old. Arlan's story is a testament to resilience and determination, proving that it's never too late to transform your financial future and showing the power of perseverance.

The Table with Anthony ONeal
Black Families Are Behind...The Racial Wealth Gap

The Table with Anthony ONeal

Play Episode Listen Later May 27, 2024 64:26


On this episode of The Table with Anthony ONeal, we welcome Latasha Morrison, New York Times bestselling author of "Be The Bridge." Latasha shares insights from her latest book, "Brown Faces, White Spaces: Confronting Systemic Racism to Bring Healing and Restoration." She discusses her life journey, the ongoing struggle for equality and equity for Black people, and the history of redlining. Latasha's profound understanding of systemic racism provides a roadmap for healing and restoration, making this episode an essential listen for anyone committed to social justice. Join us as we delve into her powerful message and learn how we can all contribute to a more equitable society.

The Table with Anthony ONeal
5 Strategies for Wealth Building Without 40-Hour Weeks!

The Table with Anthony ONeal

Play Episode Listen Later May 24, 2024 35:44


On this episode of The Table with Anthony ONeal, we explore alternative strategies for wealth building that don't rely solely on the traditional 40-hour workweek. AO dives deep into the importance of prioritizing budgeting to manage finances effectively and discusses the benefits of pursuing entrepreneurship as a path to financial success. Join us as we share insights, tips, and actionable advice to help you achieve financial freedom and create a more flexible and fulfilling lifestyle.

The Table with Anthony ONeal
How to Manage What God Has Already Given You

The Table with Anthony ONeal

Play Episode Listen Later May 22, 2024 53:17


On this episode of The Table with Anthony ONeal, Travis Greene joins to share his profound insights on aligning your desires with God's plan. Travis discusses the importance of asking what God wants for you, rather than just focusing on your own wants. He and AO delve into the necessity of learning how to plan without succumbing to jealousy towards others who may seem to be succeeding. Travis emphasizes that God's plan for you is unique, and there's no need to compare your journey with anyone else's. Tune in to gain valuable wisdom on finding peace and purpose in God's path for your life.

The Table with Anthony ONeal
These 5 Books Will Make You Rich – I Guarantee It!

The Table with Anthony ONeal

Play Episode Listen Later May 20, 2024 32:20


On this episode of The Table with Anthony ONeal, we share five transformative books that can lead you to generational wealth. AO carefully selected each book to provide valuable insights, strategies, and inspiration for achieving financial success. From timeless classics to modern gems, these books cover a range of topics such as wealth mindset, investment strategies, personal finance management, and entrepreneurship. Tune in as we explore how these books can empower you with the knowledge and tools needed to make informed decisions, build wealth, and create a prosperous future. Don't miss out on this enriching episode filled with actionable wisdom! **This show is sponsored and brought to you by Better Help!**

The Table with Anthony ONeal
She's Facing 40 Years in Prison for Retirement Account Withdrawal?!

The Table with Anthony ONeal

Play Episode Listen Later May 16, 2024 38:59


On this episode of The Table with Anthony ONeal, we sit down with Marilyn Mosby, who was wrongfully convicted of two counts of perjury and one count of mortgage fraud, potentially facing up to 40 years in federal prison. As her sentencing date approaches on May 23, 2024, civil rights organizations, including the NAACP, rally for a presidential pardon for Mosby. Join us as she courageously shares her side of the story, shedding light on the challenges of navigating the legal system and advocating for justice. Tune in to gain insights into Mosby's journey and the broader implications of her case on civil rights and the justice system.

The Table with Anthony ONeal
Watch This BEFORE Selling Your Car!

The Table with Anthony ONeal

Play Episode Listen Later May 15, 2024 21:53


On this episode of The Table with Anthony O'Neal, we share the vital strategies for selling your car without overpaying. Before stepping into the market, it's essential to define your preferences and requirements clearly. AO guides you through the process of evaluating your needs, setting a budget, and conducting comprehensive research to uncover the best opportunities. With a solid understanding and a strategic approach, you'll navigate the car-selling journey with confidence, ensuring that you receive optimal value for your vehicle. Tune in to discover actionable insights, make informed choices, and steer clear of common pitfalls in selling your car!